[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Kristian Gjøsteen kristian.gjosteen at math.ntnu.no
Fri Sep 6 03:03:27 EDT 2013

On 5 Sep 2013 at 23:14, Tim Dierks <tim at dierks.org> wrote:

> I believe it is Dual_EC_DRBG. The ProPublica story says:
> Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.” 
> This appears to describe the NIST SP 800-90 situation pretty precisely. I found Schneier's contemporaneous article to be good at refreshing my memory: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this problem (we only stated that Q had to be chosen at random; Ferguson & co. were right to emphasize this point), I would like to ask:

	Has anyone, anywhere ever seen someone use Dual-EC-DRBG?

I mean, who on earth would be daft enough to use the slowest possible DRBG? If this is the best NSA can do, they are over-hyped.

(If you really do want to use Dual-EC-DRBG: truncate more than 16 bits, and don't use NSA's points, choose your own - at random.)

Kristian Gjøsteen
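The following is an added illustration and is not code from the post or its author: a toy Dual_EC_DRBG over the curve y^2 = x^3 + 7 mod 17 (18 points, a constructed example and not a real parameter set), with the point-lifting observation of Shumow and Ferguson worked through for both mitigations the post names. It shows that whoever knows a d with P = d*Q recovers the next internal state from a single truncated output block, that the candidate count grows with the number of bits dropped, and that a Q derived by hashing a public label has no such d. All function names (dual_ec_step, candidates_from_output, random_point, demo), the seed 7, the trapdoor scalar e = 5 and the choice of 2 dropped bits are assumptions of this example.

```python
"""Toy Dual_EC_DRBG over y^2 = x^3 + 7 mod 17 (constructed example)."""
import hashlib

P_MOD, A, B = 17, 0, 7      # curve y^2 = x^3 + A*x + B over F_17
CURVE_ORDER = 18            # point count incl. infinity; count_points() recomputes it
BITS = P_MOD.bit_length()   # 5 bits per x-coordinate
INF = None                  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine group law on the curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n


def count_points():
    return 1 + sum(1 for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y)))


def find_generator():
    """First point of full order; the group is cyclic, so one exists."""
    for x in range(P_MOD):
        for y in range(P_MOD):
            if on_curve((x, y)) and order((x, y)) == CURVE_ORDER:
                return (x, y)
    raise ValueError("no generator found")


def lift_x(x):
    """Any curve point with this x-coordinate (brute force on the toy field)."""
    for y in range(P_MOD):
        if on_curve((x, y)):
            return (x, y)
    return INF


def dual_ec_step(state, P, Q, drop_bits):
    """One round: next state is x(s*P); output is x(s*Q) minus its top
    drop_bits bits (the real standard drops 16 of 256)."""
    next_state = mul(state, P)[0]
    r = mul(state, Q)[0]
    return next_state, r & ((1 << (BITS - drop_bits)) - 1)


def candidates_from_output(out, d, drop_bits):
    """What a holder of d with P = d*Q learns from one output block: each
    x consistent with the truncated bits lifts to R = +-s*Q, and
    d*R = s*P, whose x-coordinate is the next state."""
    keep = BITS - drop_bits
    cands = set()
    for hi in range(1 << drop_bits):        # 2^drop_bits guesses per block
        x = out | (hi << keep)
        if x >= P_MOD:
            continue
        R = lift_x(x)
        if R is not INF:
            S = mul(d, R)
            if S is not INF:
                cands.add(S[0])
    return cands


def random_point(label: bytes):
    """Q from a public label by hash-to-x: on a real curve nobody, the
    chooser included, learns log_P(Q), so no d exists to exploit
    (on this toy curve the log is of course brute-forceable)."""
    ctr = 0
    while True:
        h = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(h, "big") % P_MOD)
        if pt is not INF:
            return pt
        ctr += 1


def demo(seed=7, e=5, drop_bits=2):
    """Return (true next state recovered?, number of candidate states)."""
    P = find_generator()
    Q = mul(e, P)                    # backdoored choice: e is the trapdoor
    d = pow(e, -1, CURVE_ORDER)      # then P = d*Q
    s1, out1 = dual_ec_step(seed, P, Q, drop_bits)
    cands = candidates_from_output(out1, d, drop_bits)
    return s1 in cands, len(cands)


if __name__ == "__main__":
    print("trapdoor recovers state:", demo())
    print("hash-derived Q:", random_point(b"constructed label"))
```

With 2 of 5 bits dropped the attacker tests at most four x-coordinates per block; with t dropped bits the work is 2^t lifts per block, which is the reason the post's first piece of advice is to truncate more than the 16 bits the standard discards. The second piece of advice, choosing your own Q at random (or, as in random_point, deriving it from a public string), removes the d that candidates_from_output needs; on this toy curve the discrete log is trivial, on a real curve it is not.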
